On 2021-Jul-26, Tom Lane wrote:
> What if we allow event triggers owned by non-superusers, but only fire
> them on commands performed by the trigger's owner? This sidesteps all
> the issues of who has which privileges and whether Alice is malicious
> towards Bob or vice versa, because there is no change of privilege
> domain. Admittedly, it fails to cover some use-cases, but I think it
> would still handle a lot of interesting cases. The impression I have
> is that a lot of applications do everything under just one or a few
> roles.
This is similar but not quite an idea I had: have event triggers owned
by non-superusers run for all non-superusers, but not for superusers.
It is still the case that all non-superusers have to trust everyone with
the event-trigger-create permission, but that's probably the database
owner so most of the time you have to trust them already.
--
Álvaro Herrera Valdivia, Chile — https://www.EnterpriseDB.com/
"Saca el libro que tu religión considere como el indicado para encontrar la
oración que traiga paz a tu alma. Luego rebootea el computador
y ve si funciona" (Carlos Duclós)